Article Details
Scrape Timestamp (UTC): 2025-04-16 14:47:13.736
Source: https://www.theregister.com/2025/04/16/law_firm_ico_fine/
Original Article Text
Law firm 'didn't think' data theft was a breach, says ICO. Now it's nursing a £60K fine.

DPP Law is appealing against data watchdog's conclusions.

A law firm is appealing against a £60,000 fine from the UK's data watchdog after 32 GB of personal information was stolen from its systems.

DPP Law Ltd, based in Merseyside, North West England, was attacked in June 2022. The Information Commissioner's Office (ICO) says a third-party consultancy determined that the criminal used brute-force tactics to gain entry to an infrequently used administrator's account that lacked multi-factor authentication. This was exploited to access a legacy case management system. The miscreant then moved laterally across DPP's network and stole 32 GB of data, including private details about identifiable individuals, according to the ICO.

DPP only became aware of the theft when the National Crime Agency contacted it to say information relating to its clients had been posted on the dark web, said the ICO, adding that DPP "did not consider the loss of access to personal information constituted a personal data breach" and didn't report it to the ICO until "43 days after they became aware of it."

Sue Christopher, chief executive of DPP Law, told us that the firm fully cooperated with the ICO investigation regarding the cyberattack in June 2022.

"We disagree with the conclusions reached by the Information Commissioner's Office, and we will be lodging an appeal," she said. "DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials). These independent certifications are intended to assure clients and stakeholders of our adherence to best practices."

In a statement, Andy Curry, director of enforcement at the ICO, claimed: "Our investigation revealed lapses in DPP's security practices that left information vulnerable to unauthorised access.

"In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents."

Curry said the ICO will "hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident."

"Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences."
Daily Brief Summary
DPP Law Ltd incurred a £60,000 fine for failing to promptly notify a data breach when personal client data was stolen and later found on the dark web.
The breach occurred in June 2022, involving a brute-force attack on an underused administrator's account without multi-factor authentication in DPP Law's network.
The attacker exploited access to a legacy case management system and extracted 32 GB of sensitive data, including details of identifiable individuals.
The UK's Information Commissioner's Office (ICO) highlighted that DPP Law did not consider the incident a data breach initially and delayed reporting it for 43 days.
DPP Law disputes the ICO's findings and is appealing the decision, asserting its compliance with legal and cybersecurity standards through Lexcel and Cyber Essentials certifications.
The ICO's investigation pointed out significant security lapses at DPP Law, stressing the importance of robust cybersecurity measures and timely incident reporting.
The ICO's enforcement director emphasised that data protection is a legal obligation, warning of substantial fines and reputational damage for non-compliance.